The present disclosure relates generally to a system kernel, and more particularly to methods and systems for handling keys that are stored within kernel memory.
A kernel is a piece of software that abstracts the hardware so that applications running on the system do not have to be concerned with hardware details. This is particularly important because the applications may be intended to run on various types of devices, both local and remote. The kernel translates requests from the applications into data processing instructions for the processor and other components of a computer. The kernel also ensures that different applications running on a computer system do not have access to each other's program code except through proper channels. This helps ensure that malicious code does not adversely affect various applications.
The kernel can also maintain secure data such as authentication tokens, encryption keys, and other security related objects. The kernel makes use of kernel memory, which is a designated portion of a computing system's volatile memory space. The kernel memory provides specialized security for the control, storage, and escrow of various encryption and decryption keys used by the system. Specifically, the kernel provides this control by storing the keys inside kernel memory.
Kernel memory is generally treated differently than other memory with respect to paging. Paging is a process whereby blocks of data are moved between a volatile memory store and a non-volatile memory store, which is necessary because there is generally a limited amount of space in the volatile memory store. Thus, data that is designated as pageable is regularly being moved in and out. Software applications are generally stored in non-volatile memory for long-term purposes and loaded into main memory (a volatile memory store) when they are to be executed by the computing system. But the system is generally configured to not page out the kernel memory, for various practical reasons.
Storing various objects such as authentication tokens in the kernel memory portion of main memory can result in various challenges. Particularly, some objects can be relatively large in size. For example, some objects may be one megabyte in size or more. If thousands of such objects are being stored within the kernel memory, then gigabytes of main memory are being used by the kernel memory. This reduces the size of the remaining available memory. This, in turn, causes a less efficient system. Thus, it is desirable to be able to store sophisticated encryption keys within the secure kernel memory, but not take away so much memory from the available memory pool.